hostapd authenticates but dhcpd doesn't give out address
Bob Beers
bbeers
Wed Jun 16 08:13:34 PDT 2004
Jouni Malinen wrote:
> What kind of RADIUS authentication are you talking about? Your
> configuration file seemed to be trying to use RADIUS for both MAC
> address based authentication and IEEE 802.1X authentication. While that
> is an allowed configuration, it sounds somewhat odd.
>
>
Ok, I'm starting to understand ... the hostapd does so many things,
I don't have all the parts of it figured out yet. Which parts are
mutually exclusive and which parts are complementary?
1) I can do MAC address authentication -
either locally (macaddr_acl=1/0) in the [accept|deny]_mac_file files,
or via RADIUS (macaddr_acl=2) to a separate server.
(Then it's a whole 'nother story how to set up one's RADIUS server
and database.)
2) Or (and?) I can do username/password authentication via 802.1X -
by setting ieee8021x=1, minimal_eap=0, and auth_algs=0.
Where do the usernames and passwords get authenticated?
If I want that to also be via RADIUS server, I must enable WPA?
3) I can set up dynamic WEP, by setting
auth_algs=1|3, and the wep_key_len_* and wep_rekey_period values.
Static WEP would be the old way with "iwconfig wlan0 key ...", yes?
But either one conflicts with WPA, yes?
4) I can set up WPA, shared-key or RADIUS/EAP. This has a pretty good
explanation in the hostapd.conf file about what else has to be set or
not set: 802.1x on, dynamic wep off, etc.
>
> Have you configured the clients to do IEEE 802.1X? What are you using as
> the EAP method? Why would there be a separate browser (as in web
> browser?) authentication after this? Or do you mean a dialog box for
> asking EAP authentication username/password?
>
Ok, good questions ...
For the hostapd beginner, who has available some hostap clients to
associate with this hostapd AP, how do I configure the client to do
802.1X? Where do I set the EAP method? Is this something I set in
hostap, or is this a separate program? Is this xsupplicant?
(Next, of course, is other clients, but that's for another day.)
Yes, a dialog box for authentication.
I thought this might be transparent to the clients, (as in: no new
programs to install,) just a quick registration/login process via a dialog
box on a web page, when the client tries to access anything.
I'd like to get username/password authentication working first,
then I'll see if I still want to add MAC authentication as an
additional/optional feature. I can envision a situation where
maybe certain known clients would not need to authenticate with
username/password, MAC would be enough but if a new/temporary
client shows up, then it could still play if it can provide a
good username/password.
>
> Like mentioned in an earlier reply, minimal_eap is not going to work
> here. If you want to use dynamic WEP keying, the selected EAP method has
> to generate keying material. If you wanted to use username/password
> instead of client certificates, you could try, e.g., EAP-PEAP/MSCHAPv2.
Ok, big mistake(TM) with the minimal-eap setting, I get that now.
I don't understand about client certificates. Where do I read how that
applies to hostapd?
WPA looks like what I should use for encryption, and since I've already
got a RADIUS server talking to hostapd, it should be do-able.
>>wlan0: STA 00:09:5b:2f:f6:b4 IEEE 802.1X: start authentication
>>wlan0: STA 00:09:5b:2f:f6:b4 IEEE 802.1X: unauthorizing port
>>IEEE 802.1X: Sending EAP Request-Identity to 00:09:5b:2f:f6:b4 (identifier
>>0)
>
>
> hostapd starts IEEE 802.1X authentication with the station but the
> station does not seem to reply. It looks like the IEEE 802.1X Supplicant
> in the station is not enabled.
>
Yes, it's not enabled until I enable it ... but how? Do I need
x-supplicant and wpa-supplicant on the station?
I've been happily using the hostap driver (AP and station mode) for
quite some time, but now I need to understand/use all these new features.
I'm re-reading, again, the READMEs etc., so hopefully I'll be over this
learning curve real soon. Sorry for being so ignorant.
Thanks a million for all the help so far,
--
Bob Beers
MIEEE 2415966
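
The option combinations raised in this thread can be checked mechanically before hostapd is started. The following linter is an added example, not part of the original message and not hostapd code; the sample configuration, function names and severity labels are constructed for illustration, and the WPA rule follows the poster's reading of the hostapd.conf comments.

```python
# Added example (not from hostapd): lint a hostapd.conf for the option
# combinations raised in this thread. SAMPLE_CONF is constructed.
SAMPLE_CONF = """\
interface=wlan0
macaddr_acl=2
ieee8021x=1
minimal_eap=1
auth_algs=1
wep_key_len_broadcast=5
wep_key_len_unicast=5
wep_rekey_period=300
"""

def parse_conf(text):
    """Parse key=value lines, skipping blanks and '#' comment lines."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def flag(conf, key):
    """Integer value of an option; missing or malformed counts as 0."""
    try:
        return int(conf.get(key, "0"))
    except ValueError:
        return 0

def lint(conf):
    """Return (severity, message) findings for the combinations in the thread."""
    findings = []
    dot1x = flag(conf, "ieee8021x") == 1
    dyn_wep = dot1x and (flag(conf, "wep_key_len_broadcast") > 0
                         or flag(conf, "wep_key_len_unicast") > 0)
    if dyn_wep and flag(conf, "minimal_eap") == 1:
        findings.append(("error", "dynamic WEP needs an EAP method that "
                         "generates keying material; minimal_eap does not"))
    if dyn_wep and flag(conf, "wpa") > 0:
        findings.append(("warn", "dynamic WEP options set together with wpa"))
    if dot1x and flag(conf, "macaddr_acl") == 2:
        findings.append(("note", "RADIUS used for both MAC ACL and 802.1X: "
                         "allowed, but unusual"))
    return findings

if __name__ == "__main__":
    for severity, message in lint(parse_conf(SAMPLE_CONF)):
        print(f"{severity}: {message}")
```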